ERP security


ERP security is a wide range of measures aimed at protecting enterprise resource planning (ERP) systems from illicit access while ensuring the availability and integrity of system data. An ERP system is computer software that unifies the information needed to manage an organization, including production, supply chain management, financial management, human resource management, customer relationship management, and enterprise performance management.


Review

An ERP system integrates business processes, enabling procurement, payment, transport, human resources management, product management, and financial planning. [1] Because an ERP system stores confidential information, the Information Systems Audit and Control Association (ISACA) recommends regularly conducting a comprehensive assessment of ERP system security: checking ERP servers for software vulnerabilities, configuration errors, and segregation of duties conflicts, and checking compliance with relevant standards and with vendor recommendations. [2] [3]

Causes for vulnerabilities in ERP systems

Complexity

ERP systems process transactions and implement procedures to ensure that users have different access privileges. There are hundreds of authorization objects in SAP that permit users to perform actions in the system. For a company with 200 users, there are approximately 800,000 (100*2*20*200) ways to customize the security settings of the ERP system. [4] As complexity grows, the likelihood of errors and segregation of duties conflicts increases. [2]

Specificity

Vendors fix vulnerabilities on a regular basis, since attackers monitor business applications to find and exploit security issues. SAP releases patches monthly on Patch Tuesday; Oracle issues security fixes every quarter in the Oracle Critical Patch Update. Business applications are becoming more exposed to the Internet or are migrating to the cloud. [5]

Lack of competent specialists

An ERP cybersecurity survey [6] revealed that organizations running ERP systems "lack both awareness and actions taken towards ERP security". [7] ISACA states that "there is a shortage of staff members trained in ERP security" [4], and security teams have only a superficial understanding of the risks and threats associated with ERP systems. Consequently, security vulnerabilities are harder to detect and subsequently fix. [5] [8]

Lack of security auditing tools

ERP security audits are done manually, as the various tools shipped with ERP packages do not provide means for auditing system security. Manual auditing is a complex and time-consuming process that increases the likelihood of making a mistake. [2]

Large number of customized settings

The system includes thousands of parameters and fine-grained settings, including segregation of duties for transactions and tables, and the security parameters are set separately for every single system. ERP system settings are customized according to each customer's requirements.

Security issues in ERP systems

Security issues occur in ERP systems at different levels.

Network layer

Traffic interception and modification

In 2011, Sensepost specialists analyzed the DIAG protocol used in the SAP ERP system for transferring data from the client to the SAP server. Two utilities were published that allowed intercepting, decrypting, and modifying client-server requests containing critical information. This made attacks possible, including man-in-the-middle attacks. The second utility operates like a proxy and was created to identify new vulnerabilities; it allowed modifying requests going to both the client and the server. [9]

In the SAP ERP system, it is possible to perform administrative functions via the Telnet protocol, which encrypts passwords.

Vulnerabilities in encryption or authentication protocols

Vulnerabilities exist in the protocols themselves (e.g. RFC in SAP ERP and Oracle Net in Oracle E-Business Suite). The RFC (Remote Function Call) protocol is used in SAP ERP to connect two systems over TCP/IP. An RFC call is a function that enables calling and running a function module located in another system. The ABAP language used for writing business applications for SAP has functions for making RFC calls. Several critical vulnerabilities were found in SAP RFC Library versions 6.x and 7.x. [10]

Operating system level

OS software vulnerabilities

Weak OS passwords

Insecure OS settings

Application vulnerabilities

ERP systems move more and more functionality to the web application layer, which carries a large number of vulnerabilities:

Role-based access control

In ERP systems, the RBAC (Role-Based Access Control) model is applied to let users perform transactions and gain access to business objects. [11] In this model, the decision to grant access to a user is based on the user's functions, or roles. A role is a set of transactions that a user or a group of users performs in the company. A transaction is a procedure that transforms system data. For any role, there is a number of corresponding users, and a user may hold one or multiple roles. Roles can be hierarchical. After the roles are implemented in the system, the transactions corresponding to each role rarely change; the administrator only needs to add users to or delete them from roles. The administrator provides a new user with membership in one or more roles. When employees leave the organization, the administrator removes them from all roles. [12]

Segregation of Duties

Segregation or separation of duties, also known as SoD, is the concept that a user cannot complete a transaction without other users (e.g. a single user cannot add a new supplier, write out a cheque, and pay the supplier) [13], so the risk of fraud is much lower. [14] SoD can be implemented with RBAC mechanisms by introducing the notion of mutually exclusive roles. For instance, to pay a supplier, one user initiates the payment procedure and another approves it. [15] In this case, initiating a payment and approving it are mutually exclusive roles. Segregation of duties can be either static or dynamic. With static SoD (SSoD), a user cannot belong to two mutually exclusive roles. With dynamic SoD (DSoD), a user may belong to both but cannot exercise them within one transaction. Each has its own advantages: SSoD is simple, while DSoD is flexible. [16] Segregation of duties is described in an SoD matrix. The X and Y axes of the matrix list the system roles; if two roles are mutually exclusive, there is a flag at the intersection of the corresponding row and column.
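The following is an added example, not code from the original article or from any ERP vendor, that puts the RBAC model and both SoD variants described above into working code: roles map to transactions, an SoD matrix flags mutually exclusive role pairs, static SoD refuses a role assignment that would create a conflict, and dynamic SoD lets a user hold both roles but blocks exercising the second one within the same business transaction. The role names, transaction names and the exclusion pairs are constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import combinations

# Constructed sample role -> transaction mapping (hypothetical names, not a real ERP's roles)
ROLE_TRANSACTIONS = {
    "vendor_maintainer": {"create_vendor", "change_vendor"},
    "payment_initiator": {"create_payment"},
    "payment_approver": {"approve_payment"},
    "reporting": {"view_ledger"},
}

# SoD matrix content: each frozenset is a flag at the intersection of two mutually exclusive roles.
MUTUALLY_EXCLUSIVE = {
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"vendor_maintainer", "payment_initiator"}),
}


def build_sod_matrix(roles):
    """Render the SoD matrix as {(role_x, role_y): flag} for every pair of roles."""
    return {(x, y): frozenset({x, y}) in MUTUALLY_EXCLUSIVE for x in roles for y in roles}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def permitted(user, transaction):
    """RBAC decision: a user may run a transaction iff one of their roles contains it."""
    return any(transaction in ROLE_TRANSACTIONS.get(r, set()) for r in user.roles)


def static_sod_conflicts(user):
    """SSoD audit: list every pair of mutually exclusive roles the user currently holds."""
    return [tuple(sorted(p)) for p in combinations(sorted(user.roles), 2)
            if frozenset(p) in MUTUALLY_EXCLUSIVE]


def assign_role_ssod(user, role):
    """Role assignment under static SoD: refuse a role that conflicts with one already held."""
    for held in user.roles:
        if frozenset({held, role}) in MUTUALLY_EXCLUSIVE:
            raise ValueError(f"SSoD conflict: {role} is mutually exclusive with {held}")
    user.roles.add(role)


def offboard(user):
    """Leaver process: remove the user from all roles."""
    user.roles.clear()


class DynamicSoDSession:
    """DSoD: a user may hold exclusive roles, but must not act in both within one business transaction."""

    def __init__(self, user):
        self.user = user
        self.roles_used = {}  # business transaction id -> roles already exercised in it

    def act(self, txn_id, role, transaction):
        # Ordinary RBAC check first: the user must hold the role and the role must include the transaction.
        if role not in self.user.roles or transaction not in ROLE_TRANSACTIONS.get(role, set()):
            return False
        used = self.roles_used.setdefault(txn_id, set())
        # DSoD check: refuse if this role is exclusive with any role already used in the same transaction.
        if any(frozenset({u, role}) in MUTUALLY_EXCLUSIVE for u in used):
            return False
        used.add(role)
        return True


if __name__ == "__main__":
    bob = User("bob", {"payment_initiator", "payment_approver"})
    print("SSoD conflicts for bob:", static_sod_conflicts(bob))
    session = DynamicSoDSession(bob)
    print("initiate PO-1:", session.act("PO-1", "payment_initiator", "create_payment"))
    print("approve PO-1 (same user, same transaction):",
          session.act("PO-1", "payment_approver", "approve_payment"))
```

The static audit (`static_sod_conflicts`) is what an SoD review over an existing user base would run; the dynamic session shows why DSoD needs per-transaction state rather than a one-time check at role assignment.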

ERP Security scanners

An ERP security scanner is software intended to search for vulnerabilities in ERP systems. The scanner analyzes the configuration of the ERP system, searches for misconfigurations, access control and encryption conflicts, and insecure components, and checks whether updates are missing. It checks system parameters for compliance with the manufacturer's recommendations and with ISACA auditing procedures. ERP security scanners produce reports in which the vulnerabilities are listed according to their criticality.
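As an added example (not part of the original article and not any real scanner's code), the block below shows the core of such a parameter-compliance check: it parses a profile file, compares each parameter against a baseline of recommended values, treats an unset parameter as non-compliant, and sorts the findings by criticality for the report. The profile format, parameter names, recommended values and severities are all constructed placeholders, not a vendor's actual recommendations.

```python
import re
from dataclasses import dataclass

# Constructed baseline: parameter -> (comparison, recommended value, severity).
# Hypothetical names and values; a real scanner would load the vendor's published baseline.
BASELINE = {
    "auth/min_password_length": (">=", 12, "high"),
    "auth/failed_logins_to_lock": ("<=", 5, "medium"),
    "net/encrypt_client_traffic": ("==", 1, "high"),
    "admin/telnet_enabled": ("==", 0, "critical"),
    "audit/log_enabled": ("==", 1, "medium"),
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

COMPARE = {
    ">=": lambda actual, want: actual >= want,
    "<=": lambda actual, want: actual <= want,
    "==": lambda actual, want: actual == want,
}

# Constructed instance profile in a simple "key = value" format (hypothetical).
SAMPLE_PROFILE = """
# hypothetical ERP instance profile
auth/min_password_length = 6
auth/failed_logins_to_lock = 10
net/encrypt_client_traffic = 0
audit/log_enabled = 1
"""


def parse_profile(text):
    """Parse 'key = value' lines, skipping blanks and comments; numeric values become ints."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([\w/]+)\s*=\s*(\S+)$", line)
        if match:
            key, value = match.groups()
            params[key] = int(value) if value.isdigit() else value
    return params


@dataclass
class Finding:
    parameter: str
    actual: object
    expected: str
    severity: str


def scan(params):
    """Compare every baseline parameter with the instance value; return findings sorted by severity."""
    findings = []
    for name, (op, want, severity) in BASELINE.items():
        expected = f"{op} {want}"
        if name not in params:
            # An unset parameter falls back to the product default, which we do not trust: report it.
            findings.append(Finding(name, None, expected, severity))
            continue
        actual = params[name]
        if not isinstance(actual, int) or not COMPARE[op](actual, want):
            findings.append(Finding(name, actual, expected, severity))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.parameter))
    return findings


def report(findings):
    """Render findings as text, most critical first."""
    return "\n".join(
        f"[{f.severity.upper():8}] {f.parameter}: actual={f.actual!r}, expected {f.expected}"
        for f in findings
    )


if __name__ == "__main__":
    print(report(scan(parse_profile(SAMPLE_PROFILE))))
```

Treating a missing parameter as a finding is the conservative choice: a parameter that is absent from the profile takes the product's default, and the scanner should surface that rather than silently assume the default is acceptable.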


References

  1. "What Is ERP?" . Retrieved 6 April 2018.
  2. Security issues in ERP http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/sap-erp.aspx Archived 2015-11-09 at the Wayback Machine
  3. "Why security should be a priority for an ERP ecosystem". Information Age. 31 August 2017. Retrieved 6 April 2018.
  4. ERP Security and Segregation of Duties Audit: A Framework for Building an Automated Solution https://csbweb01.uncw.edu/people/ivancevichd/classes/MSA%20516/Extra%20Readings%20on%20Topics/Database/ERP%20Security.pdf
  5. "ERP Security Deserves Our Attention Now More Than Ever". Forbes. 7 July 2017. Retrieved 6 April 2018.
  6. ERP Cybersecurity survey 2017 https://erpscan.com/research/white-papers/erp-cybersecurity-survey-2017/
  7. "Survey reveals the damage of fraud attacks against SAP system is estimated at $10m". CSO from IDG. 27 June 2017. Retrieved 6 April 2018.
  8. "Six classic ERP system security problems – and how to avoid them". CloudTech. 10 May 2017. Retrieved 6 April 2018.
  9. ERPScan warns about new vulnerabilities of DIAG protocol in SAP
  10. SAP RFC Library Multiple Vulnerabilities http://www.cnet.com/forums/post/7986898c-0a03-43d4-af70-b8427164c8e2
  11. Security for Enterprise Resource Planning Systems http://www.utdallas.edu/~bxt043000/Publications/Journal-Papers/DAS/J46_Security_for_Enterprise_Resource_Planning_Systems.pdf
  12. Role-Based Access Controls http://csrc.nist.gov/rbac/ferraiolo-kuhn-92.pdf
  13. ISACA Glossary Terms http://www.isaca.org/Knowledge-Center/Lists/ISACA%20Glossary%20Terms/DispForm.aspx?ID=1700
  14. A risk-based approach to segregation of duties http://www.ey.com/Publication/vwLUAssets/EY_Segregation_of_duties/$FILE/EY_Segregation_of_dutie/s.pdf
  15. R. A. Botha and J. H. P. Eloff Separation of Duties for Access Control Enforcement in Workflow Environments
  16. Simple Search http://www.bth.se/fou/cuppsats.nsf/all/52d12689b4758c84c12572a600386f1d/$file/mcs-2006-16.pdf Archived 2015-02-26 at the Wayback Machine